Evan Schuman's StorefrontBacktalk

When it comes to CRM data, what’s perfectly OK for retailers to collect from adults using a mobile app just got a lot trickier when kids are involved. On Monday (Aug. 15), the Federal Trade Commission announced that an iPhone app developer was fined $50,000 for collecting 30,000 E-mail addresses from users who might (or might not) be children—the first time the FTC has gotten involved in an app-related case. Even more daunting, the settlement required the firm to “delete all personal information collected in violation of the Rule.”

The money is painful enough, but at least that is easily doable. Once this type of information is gathered, it is copied in potentially dozens of places (marketing, a third-party E-mail service, backup disks, thumb drives that employees take home, different spreadsheets for analyzing different projects, etc.) and subsidiary information (the fruit of the poisonous tree, as they’d say in legal circles) may be in far more. An FTC order that comes in six months after the fact may be all-but-impossible to fully comply with.

The developer, Broken Thumbs Apps, isn’t a retailer. But the case sets a standard for retailers whose apps may be used by children younger than 13: Offering underage customers kid-friendly activities puts you squarely in the FTC’s sights unless you get parents’ permission for every child’s information—even if the information will only be used internally.

The apps in question were definitely aimed at sub-teenage kids, who fall under the Children’s Online Privacy Protection Act (COPPA) of 1998. According to the FTC’s complaint, more than 59,000 Broken Thumbs apps aimed at “younger girls and nostalgic adults” were downloaded from Apple’s App Store since early 2010, including “Emily’s Girl World” and “Emily’s Dress Up & Shop app.”

Those apps invited kids to send E-mails to “Emily,” post “shout-outs” to friends and family members, ask Emily’s advice, share embarrassing “blush” stories, submit art and pet photographs, and send in inspirational quotes, in addition to registering to submit comments. Only about 600 users registered, but Broken Thumbs was storing more than 30,000 E-mails to “Emily.”

The FTC didn’t suggest that Broken Thumbs Apps was planning to use those E-mail addresses improperly. But just the fact that the company collected those addresses was enough to violate COPPA and get Emily’s creators in trouble with the FTC. The problem: No notice online of what information the company collected from children and how the information would be used, and no parental consent before any personal information was collected.

That was sloppy on the part of Broken Thumbs Apps (whose official corporate name is W3 Innovations, but we like Broken Thumbs better). Although the company knew it was marketing to young kids, it apparently didn’t know the tight restrictions on marketing to those kids online—and it paid the price.

Think you’re not in a similar position just because your phone apps aren’t intended for children younger than 13? You’re too optimistic—especially if you have apps aimed at teenagers. Those are exactly the apps that some pre-teens are likely to want. You can’t afford to assume that any CRM data you collect with those apps is going to be pre-teen clean.

Unfortunately, there’s also no obvious safe harbor for collecting that CRM data, and no way of knowing which good-faith efforts will be enough. Asking for an age or birth date may be enough to keep you out of trouble with the FTC—or maybe it won’t be. COPPA requires parental notification and consent for under-13 users, but playing it safe by requiring that from all users is an almost perfect way to drive teenagers away.

It’s probably going to take a few more fines before we have any clear idea of what is safe ground and what will attract the FTC’s attention. But now that the FTC has discovered apps, those fines are surely coming.